1. Statement of the Technical Field
The present invention relates to network security and more particularly to wireless computer network security.
2. Description of the Related Art
Wireless local area network (LAN) technology has become an integral part of the modern computer network architecture. Falling prices and intuitive, low-tech installation requirements have resulted in the unstoppable proliferation of wireless LAN access points about the enterprise. Despite the cost-effective nature of the wireless LAN implementation, there is a cost which cannot be easily quantified. Namely, the unsupervised deployment of a wireless LAN within a hardened wire-bound network can produce a security hole which otherwise can render existing security measures irrelevant while compromising the network as a whole.
In particular, as wireless LAN technology is a technology which is intrinsically bound to radio frequency communications, would-be intruders can access the underlying communications medium of a wireless LAN, even from a position which is external to the enterprise, such as a nearby building or street. Conventional wireless LAN access points typically lack security features, such as firewall capability, IPSEC, and intrusion detection processors. As a result, the hacking technique referred to in the art as “wardriving” or “warchalking” has become popular. In the warchalking scenario, an intruder can case a building with a laptop equipped with a wireless LAN network card configured to detect the presence of a wireless LAN.
Upon detecting the wireless LAN, the intruder can determine whether the detected wireless LAN is an “open” connection to the Internet, a “partially open” network which is open only to internal enterprise traffic, or a fully “closed” network. Based upon the findings of the intruder, a chalk marking or some other such indicia can be placed upon the face of the building so that other would-be intruders can identify an open wireless LAN access point without having to perform a separate detection process. To the casual observer, the indicia will seem like mere graffiti. To the skilled artisan, and in particular to a hacker, the indicia will represent an open opportunity to illegally access the wireless LAN and to inflict damage to the network infrastructure.
From the end-user perspective, most have considered the problem of wireless LAN security simply by recommending that information technologists identify “rogue” wireless access points and subsequently disable them. By comparison, from the manufacturing perspective, many have considered adding additional security features to wireless LAN access points so as to authenticate users prior to granting access to those users through the wireless LAN. Still, secure authentication in the wireless context differs little from authentication in all other computing contexts. That is to say, secure authentication measures can be circumvented by the unauthorized intruder in a wireless network just as the unauthorized intruder can circumvent secure authentication measures in the wire-bound circumstance.
Notably, manufacturers have not considered the problem of wireless LAN security as one of geography. In that regard, it will be apparent to one skilled in the art that, in the case of warchalking, the obvious distinction between an authorized user and an unauthorized user of the wireless LAN usually correlates to the geographic position of the user. Where the user remains outside of the premises, there is a high probability that the user is not authorized to access the network. Similarly, where the user remains within the premises, there is an equally high probability that the user is authorized to access the network.
U.S. Pat. No. 6,116,688 issued on Dec. 26, 2000 to Cromer et al. (Cromer), addresses the problem of using a portable computer outside of an authorized geographical area. Specifically, the Cromer specification relates to the disablement of a portable computer when the portable computer falls outside an authorized, geographical area. To effectuate the solution proposed in Cromer, the Cromer specification requires the attachment of a geographical positioning system (GPS) receiver within the portable computer so as to detect the position of the computer. Still, the technology disclosed within the Cromer specification presupposes the cooperation of the possessor of the portable computer. When applied to the context of network security, however, it is not reasonable to presume that an intruder will voluntarily incorporate a client-side tool for identifying the position of the intruder.
Similarly, Symbol Technologies, Inc. of Holtsville, N.Y., United States manufactures the Spectrum24® Real Time Location System in which inventory in the factory distribution setting can be tracked within a wireless LAN so as to locate, track and manage materials and component inventory “from the receiving dock to the warehouse to the assembly line”. In furtherance of the location function of the Spectrum24, Differential Time of Arrival (DTOA) technology can be applied in which the timing of the receipt of wirelessly transmitted identifiers from a transmitter can be associated with a particular location within a defined geographical area.
Nevertheless, the Spectrum24, like the Cromer technology, requires the coupling of an external device to the tracked asset. Specifically, whereas Cromer required that the portable computer incorporate a GPS receiver and client-side positioning logic, the Spectrum24 requires the affixation of a “Spectrum24 RTL Tag” to the article which is to be located. The tag itself can transmit the unique identifier to the wireless LAN access point upon which the DTOA analysis can be applied. Accordingly, neither the Cromer invention nor the Spectrum24 can be applied to the problem of wireless LAN security when considering unauthorized attempts to access a wireless LAN by an unknown intruder from a position falling geographically outside a permissible geographic boundary.
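The DTOA positioning described above, carried through as an added illustration that is neither Symbol's nor the applicant's code: four access points at known positions record the arrival time of one transmission, only the differences of those arrival times are used (so the sender's clock and send time need not be known), and the resulting estimate is tested against a polygon representing the permitted premises. The access-point coordinates, the premises polygon, the propagation speed and the transmitter positions are constructed for the example.

```python
import math
from itertools import product

C = 299_792_458.0  # propagation speed of the radio signal, metres per second
# Constructed example: four access points at known positions (metres) inside
# a building; the permitted area is the building footprint as a polygon.
ACCESS_POINTS = [(0.0, 0.0), (40.0, 0.0), (40.0, 30.0), (0.0, 30.0)]
PREMISES = [(-2.0, -2.0), (42.0, -2.0), (42.0, 32.0), (-2.0, 32.0)]

def arrival_times(tx, aps, t0=0.0):
    """Simulated receipt time at each access point of one frame sent from tx at t0."""
    return [t0 + math.dist(tx, ap) / C for ap in aps]

def dtoa_residual(p, aps, times):
    """Squared mismatch (metres) between measured and predicted range differences."""
    ref_d = math.dist(p, aps[0])
    err = 0.0
    for ap, t in zip(aps[1:], times[1:]):
        measured = (t - times[0]) * C            # DTOA relative to aps[0], in metres
        predicted = math.dist(p, ap) - ref_d
        err += (measured - predicted) ** 2
    return err

def locate(aps, times, bounds=(-50.0, 90.0, -50.0, 80.0), step=1.0):
    """Coarse-to-fine grid search on the DTOA residual; t0 cancels in every difference."""
    x0, x1, y0, y1 = bounds
    while step >= 0.01:
        xs = [x0 + i * step for i in range(int(round((x1 - x0) / step)) + 1)]
        ys = [y0 + j * step for j in range(int(round((y1 - y0) / step)) + 1)]
        best = min(product(xs, ys), key=lambda p: dtoa_residual(p, aps, times))
        x0, x1 = best[0] - 2 * step, best[0] + 2 * step
        y0, y1 = best[1] - 2 * step, best[1] + 2 * step
        step /= 10
    return best

def inside(p, polygon):
    """Ray-casting point-in-polygon test."""
    x, y = p
    hit = False
    for i in range(len(polygon)):
        (x1, y1), (x2, y2) = polygon[i], polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            hit = not hit
    return hit

def classify(times, aps=ACCESS_POINTS, premises=PREMISES):
    """Locate the sender; an estimate outside the premises is treated as an intruder."""
    pos = locate(aps, times)
    return pos, inside(pos, premises)
```

A real deployment would have to absorb clock skew between access points and multipath error, so the boundary test should carry a margin proportional to the expected positioning error rather than a hard polygon edge.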